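---
# Installs CUPS and hardens cupsd: Kerberos (Negotiate) authentication,
# TLS-only listener on port 631, full access logging, no printer
# advertisement, and a restricted admin group. Tasks that edit cupsd
# configuration notify the "restart cups" handler, which is defined outside
# this file.

- name: install cups packages
  ansible.builtin.package:
    name: cups
    # "present" is the state the generic package module documents; "installed"
    # is only an alias in some backend package modules.
    state: present

- name: create cups systemd override directory
  ansible.builtin.file:
    path: /etc/systemd/system/cups.service.d
    state: directory
    # Quoted so the mode is always handled as an octal string.
    mode: "0755"
    owner: root
    group: "{{ ansible_wheel }}"

# Points cupsd at its own keytab through a systemd drop-in.
# NOTE(review): the keytab itself is not deployed by these tasks; presumably
# it is provisioned elsewhere. Confirm it is readable only by the account
# cupsd runs as.
- name: configure cups keytab location
  ansible.builtin.copy:
    dest: /etc/systemd/system/cups.service.d/keytab.conf
    content: |
      [Service]
      Environment=KRB5_KTNAME=FILE:/etc/cups/cups.keytab
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  # A changed drop-in only reaches the daemon after a unit reload and a
  # restart; the reload is done by the cups.socket task further down.
  notify: restart cups

- name: enable gssapi authentication from cups
  ansible.builtin.lineinfile:
    path: /etc/cups/cupsd.conf
    regexp: "^DefaultAuthType .*"
    line: "DefaultAuthType Negotiate"
  notify: restart cups

# NOTE(review): lineinfile rewrites only the last line matching regexp. If
# cupsd.conf carries several Listen lines for port 631 (for example separate
# IPv4 and IPv6 entries), the earlier ones stay active. Verify on a rendered
# host that no plain-text listener remains.
- name: disable cups plain text port
  ansible.builtin.lineinfile:
    path: /etc/cups/cupsd.conf
    regexp: "^#?Listen (.*:)?631"
    line: "#Listen 631"
  notify: restart cups

- name: set ssl listen port
  ansible.builtin.lineinfile:
    path: /etc/cups/cupsd.conf
    line: "SSLListen 631"
    insertafter: "Listen /var/run/cups/cups.sock"
  notify: restart cups

- name: require tls 1.3
  ansible.builtin.lineinfile:
    path: /etc/cups/cupsd.conf
    line: "SSLOptions MinTLS1.3"
    insertafter: "SSLListen 631"
  notify: restart cups

# Logs every request, which gives an audit trail for print and admin access.
- name: write all requests to cups access log
  ansible.builtin.lineinfile:
    path: /etc/cups/cupsd.conf
    line: "AccessLogLevel all"
    insertafter: "LogLevel warn"
  notify: restart cups

- name: disable printer advertisements
  ansible.builtin.lineinfile:
    path: /etc/cups/cupsd.conf
    regexp: "^BrowseLocalProtocols .*"
    line: "BrowseLocalProtocols none"
  notify: restart cups

# owner/group apply to the symlink itself (follow: false). Access to the key
# material is governed by the permissions of the target under tls_private,
# which these tasks do not set.
- name: link private key
  ansible.builtin.file:
    dest: "/etc/cups/ssl/{{ inventory_hostname }}.key"
    src: "{{ tls_private }}/{{ inventory_hostname }}.key"
    state: link
    owner: root
    group: "{{ ansible_wheel }}"
    follow: false
    force: true
  notify: restart cups

- name: link certificate
  ansible.builtin.file:
    dest: "/etc/cups/ssl/{{ inventory_hostname }}.crt"
    src: "{{ tls_certs }}/{{ inventory_hostname }}.crt"
    state: link
    owner: root
    group: "{{ ansible_wheel }}"
    follow: false
    force: true
  notify: restart cups

- name: disable printer advertising
  ansible.builtin.lineinfile:
    path: /etc/cups/cupsd.conf
    regexp: "^Browsing .*"
    line: "Browsing No"
  notify: restart cups

# NOTE(review): insertafter "^" matches every line, so blockinfile places the
# block after the last line of the file. AuthType and Require are documented
# as directives for Location/Limit sections of cupsd.conf, so the anchor
# pattern may have been truncated. Confirm the intended insertion point and
# check that the rendered file really enforces authentication.
- name: disable unauthenticated access from cups
  ansible.builtin.blockinfile:
    path: /etc/cups/cupsd.conf
    insertafter: "^"
    block: |
      AuthType Default
      Require user @foosh
  notify: restart cups

# Members of the listed groups get CUPS administrative rights.
- name: configure cups admin group
  ansible.builtin.lineinfile:
    path: /etc/cups/cups-files.conf
    regexp: "^SystemGroup .*"
    line: "SystemGroup root sysadm"
  notify: restart cups

- name: add static files to cups web interface
  ansible.builtin.copy:
    dest: "/usr/share/cups/www/{{ item }}"
    src: "{{ item }}"
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  loop:
    - logo.png
    - local.css

- name: create custom header for cups web interface
  ansible.builtin.copy:
    dest: /usr/share/cups/templates/header.tmpl
    src: header.tmpl
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"

# Socket activation is turned off so cupsd only listens where cupsd.conf says.
- name: disable cups socket service
  ansible.builtin.systemd:
    name: cups.socket
    enabled: false
    state: stopped
    # Reload unit files so the cups.service.d/keytab.conf drop-in written
    # above is loaded before the service is started or restarted.
    daemon_reload: true

- name: enable cups service
  ansible.builtin.service:
    name: cups
    enabled: true
    state: started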